Wildcard action specified in API Gateway access policy Affecting API Gateway (REST APIs) service in AWS
Severity framework: Snyk CCSS
Rule category: IAM / Access
Frameworks
CSA-CCM
ISO-27001
SOC-2
- Snyk ID: SNYK-CC-00265
- Credit: Snyk Research Team
Description
Granting permission to perform any action (an Action value of "*") violates the security principle of least privilege: the matched principals receive every API Gateway operation on the resource instead of only the ones they need.
How to fix?
Remove "*" values from Action in the policy document. Add specific permissions only, such as execute-api:Invoke.
Example Configuration
resource "aws_api_gateway_rest_api" "example" {
  name = "example-rest-api"
}

resource "aws_api_gateway_rest_api_policy" "allowed" {
  rest_api_id = aws_api_gateway_rest_api.example.id

  # Least-privilege resource policy: a single action (no "*"), a single
  # principal, this API's own execution ARN, and one allowed source address.
  # The execution ARN has the form arn:aws:execute-api:region:account:api-id;
  # execute-api resources are api-id/stage/METHOD/path, so "/*" is appended
  # and the reference is interpolated (a bare attribute name inside the
  # heredoc would be sent to AWS as a literal string).
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/test-user"
        ]
      },
      "Action": "execute-api:Invoke",
      "Resource": "${aws_api_gateway_rest_api.example.execution_arn}/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "123.123.123.123/32"
        }
      }
    }
  ]
}
EOF
}
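The fix above is easy to verify by hand for one policy, but a policy document can carry Action as a string or a list, Statement as an object or a list, and a NotAction form that also grants more than least privilege. The following check, added here as an example and not part of the Snyk rule or of the page's Terraform, applies the rule to a resource-policy JSON document. It goes slightly beyond the rule text by also flagging service-wide wildcards such as execute-api:* and by reporting Allow statements written with NotAction; Deny statements are skipped because a "*" there restricts rather than grants. The two policy documents and all ARNs, account IDs and addresses in it are constructed sample values.

```python
import json

# Constructed sample: the misconfiguration this rule flags, an Allow with "*" in Action.
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:user/test-user"},
        "Action": "*",
        "Resource": "*",
    }],
})

# Constructed sample: the scoped policy from the page's example, with the
# execution ARN already rendered (region, api-id are placeholders).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::123456789012:user/test-user"]},
        "Action": "execute-api:Invoke",
        "Resource": "arn:aws:execute-api:us-east-1:123456789012:abc123/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "123.123.123.123/32"}},
    }],
})


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard_action(action):
    """True for "*" and for service-wide wildcards such as "execute-api:*".

    IAM matches action names case-insensitively, so the comparison is lower-cased.
    Partial wildcards such as "execute-api:Inv*" are narrower and not flagged here.
    """
    action = action.strip().lower()
    if action == "*":
        return True
    _service, _sep, verb = action.partition(":")
    return verb == "*"


def find_wildcard_actions(policy_doc):
    """Return (statement_index, offending_action) for every Allow statement
    that grants via a wildcard Action, or via NotAction (allow everything except).
    """
    policy = json.loads(policy_doc)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with "*" narrows access; it is not this finding
        for action in _as_list(stmt.get("Action")):
            if is_wildcard_action(action):
                findings.append((idx, action))
        if "NotAction" in stmt:
            findings.append((idx, "NotAction"))
    return findings


if __name__ == "__main__":
    for name, doc in (("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY)):
        findings = find_wildcard_actions(doc)
        print(f"{name}: {'FAIL' if findings else 'PASS'} {findings}")
```

Run against a rendered policy document (for example the JSON shown by `terraform plan` or returned by the API Gateway console), an empty result means the rule is satisfied; each finding names the statement to rewrite with explicit actions.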